European Commission ready to start talks with US on personal data agreement to fight terrorism or crime

EU Justice Ministers today approved the start of talks between the European Union and the United States on a personal data protection agreement when cooperating to fight terrorism or crime. The European Commission adopted the draft mandate for negotiating such an agreement on 26 May 2010 (see IP/10/609). The aim is to ensure a high level of protection of personal information like passenger data or financial information that is transferred as part of transatlantic cooperation in criminal matters. Once in place, the agreement would enhance citizens’ right to access, rectify or delete data when it is processed with the aim to prevent, investigate, detect or prosecute criminal offences, including terrorism.

"Protection of personal data is a fundamental right for EU citizens. To guarantee this right, we need to be ambitious in our approach to personal data protection – both at home and abroad," said Vice-President Viviane Reding, the EU's Justice Commissioner. "Today's decision gives us the green light to negotiate a solid and coherent agreement with the United States which balances enforceable rights for individuals with the strong cooperation we need to prevent terrorism and organised crime. I look forward to meeting my US counterparts in Washington next week to kick start these important negotiations."

Since 11 September 2001 and subsequent terrorist attacks in Europe, the EU and US have stepped up police and judicial cooperation in criminal matters. Sharing relevant information is an essential element of effective cooperation in the fight against crime – both within the EU and with the US. One important element is the transfer and processing of personal data for the prevention, investigation, detection or prosecution of crimes, including terrorism.

The EU and US are both committed to the protection of personal data and privacy. However, they still have different approaches in protecting personal data, leading to some controversy in the past when negotiating information exchange agreements (such as the Terrorist Finance Tracking Programme or Passenger Name Records). The purpose of the negotiations approved today is also to address and overcome these differences.

Following today’s decision by Justice Ministers, the Commission now has a mandate to negotiate an umbrella agreement for personal data transferred to and processed by competent authorities in the EU and the US. The mandate aims to achieve an agreement which:

provides for a coherent and harmonised set of data protection standards including essential principles such as proportionality, data minimisation, minimal retention periods and purpose limitation;

contains all the necessary data protection standards in line with the EU's existing data protection rules, such as enforceable rights of individuals, administrative and judicial redress or a non-discrimination clause;

ensures the effective application of data protection standards and their control by independent public authorities.

The agreement would not provide the legal basis for any specific transfers of personal data between the EU and the US. A specific legal basis for such data transfers would always be required. The new EU-US data protection agreement would then apply to these data transfers.

The Commission will keep the European Parliament fully informed at all stages of the negotiations.

Background

The protection of personal data is set out in Article 8 of the EU Charter of Fundamental Rights. The Charter is integrated into the Lisbon Treaty and is legally binding on the EU and EU Member States when they implement EU law. The Lisbon Treaty (Article 16, Treaty on the Functioning of the EU) says that the EU can make rules on the protection of personal data processed by EU institutions, bodies, offices and agencies, and by the Member States when carrying out activities that fall within the scope of EU law.

The European Parliament, in a resolution on 26 March 2009, called for an EU-US agreement that ensures adequate protection of civil liberties and personal data protection. In December 2009, the European Council invited the Commission to propose aRecommendation "for the negotiation of a data protection and, where necessary, data sharing agreements for law enforcement purposes with the US."

On 26 May 2010, the Commission proposed a draft mandate for negotiating a personal data protection agreement between the EU and the US (IP/10/609 and MEMO/10/216).

On 4 November 2010, the Commission set out its strategy to modernise the EU framework for data protection rules (see IP/10/1462).